
MPLS VPN with BGP Customers

posted in Cisco Networking, Technical on November 23rd, 2010


Objectives

Company 1 and Company 2 have decided to sign up with ISP for its MPLS VPN service to connect their two sites. The CE routers' IP addresses and routing protocols are already configured, and ISP already has MPLS and the iBGP peering between the PE routers configured.

We will work through these six steps to set up and verify an MPLS VPN for C1 and C2:

  1. Configure the C1 and C2 VRFs on the PE1 and PE2 routers, assigning an RD and RT to each VRF
  2. Configure the CE-facing interfaces on PE1 and PE2
  3. Configure the MP-BGP IPv4 VRF address families
  4. Verify the configuration for both C1 and C2
  5. Disable TTL propagation so that the P routers are hidden from customer traceroutes
  6. Add MD5 authentication to the LDP sessions between PE1-P and PE2-P

Topology

[Topology diagram: MPLS VPN with BGP Customers]

Step 1

First we will configure the necessary VRFs for the customers.

PE1(config)#ip vrf C1
PE1(config-vrf)# rd 65001:1
PE1(config-vrf)# route-target export 65001:1
PE1(config-vrf)# route-target import 65001:1
PE1(config-vrf)#ip vrf C2
PE1(config-vrf)# rd 65001:2
PE1(config-vrf)# route-target export 65001:2
PE1(config-vrf)# route-target import 65001:2
PE2(config)#ip vrf C1
PE2(config-vrf)# rd 65001:1
PE2(config-vrf)# route-target export 65001:1
PE2(config-vrf)# route-target import 65001:1
PE2(config-vrf)#ip vrf C2
PE2(config-vrf)# rd 65001:2
PE2(config-vrf)# route-target export 65001:2
PE2(config-vrf)# route-target import 65001:2
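The route-target is what decides whose routes land in a VRF, so a misplaced import quietly leaks one customer's prefixes into another customer's table. The following is an added example, not from the post or from Cisco: it parses VRF stanzas in the form the Step 1 commands take in a running-config (typed here as constructed sample text) and flags any VRF that imports a route-target exported by a different VRF on any PE.

```python
import re
from collections import defaultdict

# Constructed sample: the Step 1 VRF stanzas as "show running-config | section vrf"
# prints them on PE1 (typed here for the example, not captured from the post's lab).
PE1_VRFS = """ip vrf C1
 rd 65001:1
 route-target export 65001:1
 route-target import 65001:1
ip vrf C2
 rd 65001:2
 route-target export 65001:2
 route-target import 65001:2
"""
# Constructed misconfiguration: on PE2, vrf C2 also imports C1's route-target.
PE2_VRFS_BAD = PE1_VRFS + " route-target import 65001:1\n"

def parse_vrfs(config):
    """Return {vrf: {"rd": str, "import": set, "export": set}} from IOS VRF stanzas."""
    vrfs, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
        elif cur is not None and (m := re.match(r"\s*rd (\S+)", line)):
            cur["rd"] = m.group(1)
        elif cur is not None and (m := re.match(r"\s*route-target (import|export|both) (\S+)", line)):
            for kind in ("import", "export") if m.group(1) == "both" else (m.group(1),):
                cur[kind].add(m.group(2))
    return vrfs

def find_leaks(configs):
    """Report every VRF that imports a route-target exported by a different VRF on
    any PE: that import would pull one customer's routes into another customer's VRF."""
    parsed = {pe: parse_vrfs(cfg) for pe, cfg in configs.items()}
    exporters = defaultdict(set)  # route-target -> names of VRFs exporting it
    for vrfs in parsed.values():
        for name, v in vrfs.items():
            for rt in v["export"]:
                exporters[rt].add(name)
    problems = []
    for pe, vrfs in parsed.items():
        for name, v in vrfs.items():
            for rt in sorted(v["import"]):
                others = sorted(exporters[rt] - {name})
                if others:
                    problems.append(f"{pe}: vrf {name} imports {rt} exported by {others}")
    return problems

if __name__ == "__main__":
    print(find_leaks({"PE1": PE1_VRFS, "PE2": PE1_VRFS}))      # [] : Step 1 is clean
    print(find_leaks({"PE1": PE1_VRFS, "PE2": PE2_VRFS_BAD}))  # flags C2 on PE2
```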

Step 2

Now we are going to configure the CE-facing interfaces on the PE routers with the IP addresses and put them in the correct VRFs.

PE1(config-vrf)#interface FastEthernet0/0
PE1(config-if)# ip vrf forwarding C1
PE1(config-if)# ip address 172.17.0.0 255.255.255.254
PE1(config-if)#interface FastEthernet2/0
PE1(config-if)# ip vrf forwarding C2
PE1(config-if)# ip address 172.17.0.4 255.255.255.254
PE2(config-vrf)#interface FastEthernet0/0
PE2(config-if)# ip vrf forwarding C2
PE2(config-if)# ip address 172.17.0.2 255.255.255.254
PE2(config-if)#interface FastEthernet1/0
PE2(config-if)# ip vrf forwarding C1
PE2(config-if)# ip address 172.17.0.6 255.255.255.254

Step 3

Next we set up the MP-BGP address family for each customer. Customer 2 needs one extra command because both of its sites use the same AS number, 65200. A BGP speaker rejects any route whose AS_PATH already contains its own AS number, so a route learned from one C2 site would reach the other C2 site with an AS_PATH of 65001 65200 and be dropped. The as-override command makes the PE replace every occurrence of the customer's AS number in the AS_PATH with the provider's AS number before sending the update, so the route arrives as 65001 65001 and is accepted. This lets the customer keep the same AS number at both sites. The trade-off is that the AS_PATH loop check no longer protects that customer, since its own AS number never appears in routes it receives from the provider.

PE1(config-if)#router bgp 65001
PE1(config-router)# address-family ipv4 vrf C1
PE1(config-router-af)# redistribute connected
PE1(config-router-af)# neighbor 172.17.0.1 remote-as 65101
PE1(config-router-af)# neighbor 172.17.0.1 activate
PE1(config-router)# address-family ipv4 vrf C2
PE1(config-router-af)# redistribute connected
PE1(config-router-af)# neighbor 172.17.0.5 remote-as 65200
PE1(config-router-af)# neighbor 172.17.0.5 activate
PE1(config-router-af)# neighbor 172.17.0.5 as-override
PE2(config-if)#router bgp 65001
PE2(config-router)# address-family ipv4 vrf C1
PE2(config-router-af)# redistribute connected
PE2(config-router-af)# neighbor 172.17.0.7 remote-as 65102
PE2(config-router-af)# neighbor 172.17.0.7 activate
PE2(config-router)# address-family ipv4 vrf C2
PE2(config-router-af)# redistribute connected
PE2(config-router-af)# neighbor 172.17.0.3 remote-as 65200
PE2(config-router-af)# neighbor 172.17.0.3 activate
PE2(config-router-af)# neighbor 172.17.0.3 as-override
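To make the as-override reasoning concrete, here is an added model (written for this post, not Cisco code) of the eBGP AS_PATH loop check and of what the PE sends to a CE with and without as-override. The ASNs are the ones from the Step 3 configuration; the route's path inside the VPN is modelled as just the originating customer AS, as it appears in `show ip bgp vpnv4 all`.

```python
# Model of the AS_PATH loop check and of what as-override changes, written for this
# post (not Cisco code). PROVIDER_AS and the customer ASNs come from the Step 3 config.
PROVIDER_AS = 65001

def accepts_update(local_as, as_path):
    """A BGP speaker drops an eBGP UPDATE whose AS_PATH already contains its own AS."""
    return local_as not in as_path

def pe_advertise(as_path, neighbor_as, as_override=False):
    """What the PE sends to a CE: with as-override every occurrence of the CE's AS in
    the path is first replaced by the provider AS; the provider AS is then prepended."""
    path = list(as_path)
    if as_override:
        path = [PROVIDER_AS if asn == neighbor_as else asn for asn in path]
    return [PROVIDER_AS] + path

def deliver(origin_as, receiver_as, as_override=False):
    """A route originated at one customer site (origin_as), carried across the MPLS
    VPN, and advertised by the far PE to the other site (receiver_as).
    Returns (accepted, as_path_as_received)."""
    path_in_vpnv4 = [origin_as]            # what 'show ip bgp vpnv4 all' shows on the PEs
    sent = pe_advertise(path_in_vpnv4, receiver_as, as_override)
    return accepts_update(receiver_as, sent), sent

if __name__ == "__main__":
    print(deliver(65101, 65102))          # C1: (True, [65001, 65101]) - different ASNs
    print(deliver(65200, 65200))          # C2 without as-override: (False, [65001, 65200])
    print(deliver(65200, 65200, True))    # C2 with as-override: (True, [65001, 65001])
    # The last case is also why as-override weakens loop detection: the receiving
    # site can no longer tell that 65200 was ever in the path.
```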

Step 4

Next we verify that the setup is complete. A traceroute from a CE at each customer will do this.

C1S1#traceroute 10.0.1.1 numeric

Type escape sequence to abort.
Tracing the route to 10.0.1.1

  1 172.17.0.0 24 msec 20 msec 8 msec
  2 172.16.1.0 [MPLS: Labels 17/19 Exp 0] 12 msec 36 msec 28 msec
  3 172.17.0.6 [AS 65001] [MPLS: Label 19 Exp 0] 40 msec 12 msec 24 msec
  4 172.17.0.7 [AS 65001] 52 msec *  20 msec

C2S2#traceroute 192.168.0.1 numeric

Type escape sequence to abort.
Tracing the route to 192.168.0.1

  1 172.17.0.4 24 msec 36 msec 20 msec
  2 172.16.1.0 [MPLS: Labels 17/22 Exp 0] 20 msec 40 msec 28 msec
  3 172.17.0.2 [AS 65001] [MPLS: Label 22 Exp 0] 48 msec 32 msec 28 msec
  4 172.17.0.3 [AS 65001] 12 msec *  32 msec

Everything appears to be working.

Step 5

ISP does not want its P routers showing up in the customers' traceroutes (i.e. the 172.16.1.0 hop shown in the Step 4 traceroutes), but it does want the P routers to show when a traceroute is performed from the PE routers themselves.

PE1(config)#no mpls ip propagate-ttl forwarded
PE2(config)#no mpls ip propagate-ttl forwarded

Without the forwarded keyword, the P routers would also be hidden from traceroutes run on the PE routers themselves, as well as from the C and CE routers. The forwarded keyword limits the change to packets the PE forwards on behalf of customers: their IP TTL is no longer copied into the MPLS label, so the label TTL never expires at a P router, while packets the PE originates itself still carry their TTL into the label. Let us now look at the results of a traceroute from a CE and from a PE.

C1S1#traceroute 10.0.1.1 numeric

Type escape sequence to abort.
Tracing the route to 10.0.1.1

  1 172.17.0.0 28 msec 32 msec 20 msec
  2 172.17.0.6 [AS 65001] [MPLS: Label 19 Exp 0] 36 msec 28 msec 24 msec
  3 172.17.0.7 [AS 65001] 56 msec *  20 msec

PE1#traceroute vrf C1 10.0.1.1 numeric

Type escape sequence to abort.
Tracing the route to 10.0.1.1

  1 172.16.1.0 [MPLS: Labels 17/19 Exp 0] 20 msec 76 msec 12 msec
  2 172.17.0.6 [MPLS: Label 19 Exp 0] 24 msec 24 msec 12 msec
  3 172.17.0.7 12 msec *  68 msec

Step 6

ISP wants to protect its LDP sessions with a password. The LDP sessions do not have to be reset; they will use MD5 protection as soon as it is configured. The same password must be configured on both ends of each session.

PE1(config)#mpls ldp neighbor 1.1.1.1 password c1sc0
P1(config)#mpls ldp neighbor 1.1.1.2 password c1sc0
P1(config)#mpls ldp neighbor 1.1.1.3 password c1sc0
PE2(config)#mpls ldp neighbor 1.1.1.1 password c1sc0

Miscellaneous verification commands for the BGP MPLS VPN and for LDP MD5

PE1#show ip bgp vpnv4 all
BGP table version is 16, local router ID is 1.1.1.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 65001:1 (default for vrf C1)
*> 10.0.0.0/24      172.17.0.1               0             0 65101 i
*>i10.0.1.0/24      1.1.1.3                  0    100      0 65102 i
*  172.17.0.0/31    172.17.0.1               0             0 65101 i
*>                  0.0.0.0                  0         32768 ?
*>i172.17.0.6/31    1.1.1.3                  0    100      0 ?
Route Distinguisher: 65001:2 (default for vrf C2)
*>i172.17.0.2/31    1.1.1.3                  0    100      0 ?
*  172.17.0.4/31    172.17.0.5               0             0 65200 i
*>                  0.0.0.0                  0         32768 ?
*>i192.168.0.0      1.1.1.3                  0    100      0 65200 i
*> 192.168.1.0      172.17.0.5               0             0 65200 i

PE1#show ip bgp vpnv4 vrf C1 summary
BGP router identifier 1.1.1.2, local AS number 65001
BGP table version is 16, main routing table version 16
4 network entries using 548 bytes of memory
5 path entries using 340 bytes of memory
13/8 BGP path/bestpath attribute entries using 1612 bytes of memory
3 BGP AS-PATH entries using 72 bytes of memory
2 BGP extended community entries using 48 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2620 total bytes of memory
BGP activity 10/0 prefixes, 12/0 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.17.0.1      4 65101      55      58       16    0    0 00:51:05        2

PE1#show ip bgp vpnv4 vrf C2 labels
   Network          Next Hop      In label/Out label
Route Distinguisher: 65001:2 (C2)
   172.17.0.2/31    1.1.1.3         nolabel/21
   172.17.0.4/31    172.17.0.5      21/nolabel
                    0.0.0.0         21/aggregate(C2)
   192.168.0.0      1.1.1.3         nolabel/22
   192.168.1.0      172.17.0.5      22/nolabel

P1#show mpls ldp neighbor detail
    Peer LDP Ident: 1.1.1.3:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 1.1.1.3.57183 - 1.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 64/64; Downstream; Last TIB rev sent 10
        Up time: 00:49:25; UID: 1; Peer Id 0;
        LDP discovery sources:
          FastEthernet0/0; Src IP addr: 172.16.1.3 
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          172.16.1.3      1.1.1.3         
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
    Peer LDP Ident: 1.1.1.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 1.1.1.2.61847 - 1.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 63/65; Downstream; Last TIB rev sent 10
        Up time: 00:49:25; UID: 2; Peer Id 1;
        LDP discovery sources:
          FastEthernet1/0; Src IP addr: 172.16.1.1 
            holdtime: 15000 ms, hello interval: 5000 ms
        Addresses bound to peer LDP Ident:
          172.16.1.1      1.1.1.2         
        Peer holdtime: 180000 ms; KA interval: 60000 ms; Peer state: estab
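The "MD5 on" marker in the output above is the thing to audit after Step 6: a session that came up without a password will simply lack it, and a peer whose password mismatches will not appear at all. Here is an added check (not from the post or from Cisco) that parses the P1 output above, reduced to the lines it needs, and reports unprotected peers and expected peers that are missing.

```python
import re

# Sample input: the "show mpls ldp neighbor detail" output from P1 shown above,
# trimmed to the lines this check needs.
LDP_DETAIL = """\
    Peer LDP Ident: 1.1.1.3:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 1.1.1.3.57183 - 1.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 64/64; Downstream; Last TIB rev sent 10
    Peer LDP Ident: 1.1.1.2:0; Local LDP Ident 1.1.1.1:0
        TCP connection: 1.1.1.2.61847 - 1.1.1.1.646; MD5 on
        State: Oper; Msgs sent/rcvd: 63/65; Downstream; Last TIB rev sent 10
"""
# Constructed variant: the PE2 session established with no password configured,
# so IOS prints the TCP connection line without the "MD5 on" suffix.
LDP_DETAIL_UNPROTECTED = LDP_DETAIL.replace(
    "1.1.1.3.57183 - 1.1.1.1.646; MD5 on", "1.1.1.3.57183 - 1.1.1.1.646")

def parse_ldp_neighbors(text):
    """Return {peer_router_id: {"md5": bool, "state": str}} from IOS LDP neighbor detail."""
    peers, cur = {}, None
    for line in text.splitlines():
        if m := re.search(r"Peer LDP Ident: (\d+\.\d+\.\d+\.\d+):\d+;", line):
            cur = peers.setdefault(m.group(1), {"md5": False, "state": None})
        elif cur is not None and "TCP connection:" in line:
            cur["md5"] = line.rstrip().endswith("MD5 on")
        elif cur is not None and (m := re.search(r"State: (\w+);", line)):
            cur["state"] = m.group(1)
    return peers

def unauthenticated_peers(text, expected=()):
    """Return (peers up without TCP MD5, expected peers with no session at all).
    A missing expected peer is the usual symptom of a password mismatch."""
    peers = parse_ldp_neighbors(text)
    bad = sorted(p for p, v in peers.items() if not v["md5"])
    missing = sorted(p for p in expected if p not in peers)
    return bad, missing

if __name__ == "__main__":
    want = ["1.1.1.2", "1.1.1.3"]                        # PE1 and PE2 router IDs
    print(unauthenticated_peers(LDP_DETAIL, want))              # ([], [])
    print(unauthenticated_peers(LDP_DETAIL_UNPROTECTED, want))  # (['1.1.1.3'], [])
```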


Files

starting configs
final configs
.net file